There is new information about this bug available and it looks even more serious than before now.
See Hardened-PHP Project security advisory at http://www.hardened-php.net/advisory_092006.133.html Affected: PHP 5 <= 5.1.6, PHP 4 < 4.3.0 The bug can be triggered when user input is passed to the unserialzie() function, e.g. via a cookie. " The Hardened-PHP Project will release a proof of concept exploit for this vulnerability after the release of PHP 5.2.0 has happened and a few weeks have passed. "